Privacy Badger support

[nolanlawson]

Privacy Badger thinks that Pinafore is running "third-party trackers" because of CORS requests to instances. Sigh...

Backstory: https://mstdn.io/@lychee/99830242316872578

[nolanlawson]

Apparently there is a workaround if I host a .well-known/dnt-policy.txt file on the server: https://mastodon.xyz/@xor/99830613210517556

[nolanlawson]

Apparently there is a workaround if I host a .well-known/dnt-policy.txt file on the server: https://mastodon.xyz/@xor/99830613210517556

[nolanlawson]

Hmmm unfortunately I may not actually be able to abide by the rules of the dnt-policy.txt because it says:

Logs with DNT Users' identifiers removed (but including IP addresses and
User Agent strings) may be retained for a period of 10 days or less,
unless an Exception (below) applies.

And I'm currently using now.sh, which stores 1GB of server logs by default on the Premium plan I'm using, and it doesn't seem possible to reduce that.

Maybe for now it's best if folks just disable Privacy Badger on Pinafore.

[nolanlawson]

Hmmm unfortunately I may not actually be able to abide by the rules of the dnt-policy.txt because it says:

Logs with DNT Users' identifiers removed (but including IP addresses and
User Agent strings) may be retained for a period of 10 days or less,
unless an Exception (below) applies.

And I'm currently using now.sh, which stores 1GB of server logs by default on the Premium plan I'm using, and it doesn't seem possible to reduce that.

Maybe for now it's best if folks just disable Privacy Badger on Pinafore.

[nolanlawson]

On second reading:

This policy document allows an operator of a Fully Qualified Domain Name
("domain") to declare that it respects Do Not Track as a meaningful privacy
opt-out of tracking, so that privacy-protecting software can better determine
whether to block or anonymize communications with this domain.  This policy is
intended first and foremost to be posted on domains that publish ads, widgets,
images, scripts and other third-party embedded hypertext (for instance on
widgets.example.com)

So I believe this means dnt-policy.txt would need to be hosted on each individual instance, not pinafore.social. 😞

[nolanlawson]

On second reading:

This policy document allows an operator of a Fully Qualified Domain Name
("domain") to declare that it respects Do Not Track as a meaningful privacy
opt-out of tracking, so that privacy-protecting software can better determine
whether to block or anonymize communications with this domain.  This policy is
intended first and foremost to be posted on domains that publish ads, widgets,
images, scripts and other third-party embedded hypertext (for instance on
widgets.example.com)

So I believe this means dnt-policy.txt would need to be hosted on each individual instance, not pinafore.social. 😞

[nolanlawson]

I just tested Privacy Badger on Firefox Dev Edition 60 with a variety of instances and couldn't repro the issue where users are unable to add an instance due to PB blocking. For all instances I tested (mastodon.social, toot.cafe, malfunctioning.technology, freedom.horse) it called some of them "potential trackers" but didn't block them by default.

Since this appears to be something that Pinafore itself cannot solve (the instances can solve it by adding the dnt-policy.txt file, and since users can configure PB to work correctly, it seems best just to close this issue for now.

[nolanlawson]

I just tested Privacy Badger on Firefox Dev Edition 60 with a variety of instances and couldn't repro the issue where users are unable to add an instance due to PB blocking. For all instances I tested (mastodon.social, toot.cafe, malfunctioning.technology, freedom.horse) it called some of them "potential trackers" but didn't block them by default.

Since this appears to be something that Pinafore itself cannot solve (the instances can solve it by adding the dnt-policy.txt file, and since users can configure PB to work correctly, it seems best just to close this issue for now.